On 11/9/2011 2:54 AM, Gnädinger Ralf wrote:
> Hi Alon,
>
> I've done everything you wrote below.
> Ping and reverse lookup work fine, servicePrincipalNames are set (kvno HOST 
> or HTTP/jp-sys8 works, with jp-sys8.joma.de not)...
>
> kvno HOST/jp-sys8
> HOST/[email protected]: kvno = 2
>
> Kinit with HOST/jp-sys8 or HOST/jp-sys8.joma.de doesn't work either.

Good to see that in a later note you say you have it working, but
here are some other pitfalls in this process:

First of all, Kerberos principal names are case sensitive, but Windows
is case-insensitive. The "HOST" service in the principal should be lower
case "host"; the "HTTP" service should be upper case "HTTP". So avoid any
case issues if at all possible. Some versions of Windows will try and
preserve the case that the client used, others will not.

kinit is requesting a ticket for a user principal, and AD
will look for the userPrincipalName attribute, not the
servicePrincipalName. So check that the UPN
for the account is host/[email protected]

(FYI: If the userPrincipalName can not be found, AD can also look
for a principal by looking at sAMAccountName@DOMAIN.)

You also did not say if the kinit was using a password,
or the keytab.

To really see what is going on, a network trace with Wireshark
would show a lot. Wireshark is able to format the unencrypted parts
of the Kerberos packets.

I assume you are using the ktpass.exe to create the keytab?
With 2003, there was more than one version, and some hot fixes
to ktpass; check that you have the latest.

Also note that the AD account has only one password, and keys
are generated when needed from the password, whereas with a
Kerberos keytab, each entry has its own key. So if you change
the password in AD you have to update all the keytab entries
to match.

If as root you run klist -k -K /etc/krb5.keytab
it will show the keys. All the DES keys should be the same,
and all the ArcFour keys should be the same since they
are all generated from the same password on the same account.


>
> The servicePrincipalNames in our AD:
>
> Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
>      HTTP/jp-sys8.joma.de
>      HTTP/jp-sys8
>      HOST/jp-sys8.joma.de
>      HOST/JP-SYS8
>
> My krb5.keytab has the following entries:
>
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     2 host/[email protected] (DES cbc mode with CRC-32)
>     2 host/[email protected] (DES cbc mode with RSA-MD5)
>     2 host/[email protected] (ArcFour with HMAC/md5)
>     2 host/[email protected] (DES cbc mode with CRC-32)
>     2 host/[email protected] (DES cbc mode with RSA-MD5)
>     2 host/[email protected] (ArcFour with HMAC/md5)
>     2 [email protected] (DES cbc mode with CRC-32)
>     2 [email protected] (DES cbc mode with RSA-MD5)
>     2 [email protected] (ArcFour with HMAC/md5)
>     2 HTTP/[email protected] (DES cbc mode with CRC-32)
>     2 HTTP/[email protected] (DES cbc mode with RSA-MD5)
>     2 HTTP/[email protected] (ArcFour with HMAC/md5)
>     2 HTTP/[email protected] (DES cbc mode with CRC-32)
>     2 HTTP/[email protected] (DES cbc mode with RSA-MD5)
>     2 HTTP/[email protected] (ArcFour with HMAC/md5)
>
> Of course the authentication via apache2 wouldn't work, I think kinit should
> work first but I have no clue what's going wrong here :(
>
> Thanks
>
> Ralf
>
> -----Original Message-----
> From: Alon Bar-Lev [mailto:[email protected]]
> Sent: Wednesday, 9 November 2011 08:46
> To: Gnädinger Ralf
> Cc: [email protected]
> Subject: Re: 2003 R2 AD servicePrincipalName issue
>
> 0. Delete everything you did from active directory Computer spn and 
> everything.
>
> 1. Make sure active directory can resolve and reverse resolve your server.
> ping server.xxx.com
> ping -a ip.a.dd.res
>
> 2. Edit /etc/krb5.conf
> ---
> [libdefaults]
>          default_realm = XXX.COM
>          forwardable = true
>
> [realms]
>
> [domain_realm]
>
> [logging]
> ---
>
> 3. Install samba
>
> 4. Edit /etc/smb.conf
> Modify:
>          workgroup = XXX
>          security = ads
>          kerberos method = system keytab
>          client use spnego = yes
>          realm = XXX.COM
>          local master = no
>
> 5. Run:
> # net ads join -U Administrator
> # net ads testjoin
> # net ads keytab create -U Administrator
> # net ads keytab add HTTP -U Administrator
>
> 6. Allow apache access keytab
> chgrp apache /etc/krb5.keytab
> chmod g+r /etc/krb5.keytab
>
> 7. Configure mod_auth_kerb
> ---
>          AuthName "Kerberos Login"
>          AuthType Kerberos
>          Krb5Keytab /etc/krb5.keytab
>          KrbAuthRealm XXX.COM
> ---
>
> Good luck!
>
> 2011/11/9 Gnädinger Ralf<[email protected]>
>>
>> Hi all,
>>
>> I am trying to kerberize my apache via mod_auth_kerb on a debian squeeze
>> box with our company 2003 R2 active directory service.
>>
>> After I configured Kerberos on my linux box I am able to get a ticket using 
>> kinit username.
>>
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: [email protected]
>>
>> Valid starting     Expires            Service principal
>> 11/09/11 07:51:29  11/09/11 17:51:17  krbtgt/[email protected]
>>         renew until 11/10/11 07:51:29, Etype (skey, tkt): ArcFour with
>> HMAC/md5, ArcFour with HMAC/md5
>>
>> Then I created a computer account and added the service principal
>> names like this in our AD
>>
>> #setspn -R jp-sys8
>> #setspn -A HTTP/jp-sys8.joma.de jp-sys8
>> #setspn -L jp-sys8
>>
>> Registered ServicePrincipalNames for CN=jp-sys8,CN=Computers,DC=joma,DC=de:
>>     HOST/jp-sys8.joma.de
>>     HOST/jp-sys8
>>     HTTP/jp-sys8.joma.de
>>
>> Now when I use kvno on my linux box it is possible to get the version
>> like this
>>
>> # kvno HOST/jp-sys8
>> HOST/[email protected]: kvno = 2
>>
>> but if I try HOST/jp-sys8.joma.de it's not working...
>>
>> # kvno HOST/jp-sys8.joma.de
>> kvno: Server not found in Kerberos database while getting credentials
>> for HOST/[email protected]
>>
>> When I am adding HTTP/jp-sys8 as service principal it is the same:
>> HTTP/jp-sys8 works, HTTP/jp-sys8.joma.de doesn't.
>>
>> Is there anything I've missed?
>>
>> Thanks
>>
>> Ralf
>>
>>
>> ________________________________________________
>> Kerberos mailing list           [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <[email protected]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
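Douglas's two keytab observations above (all keys of one enctype must match because they all come from the one AD account password, and the service name case must match what Kerberos expects) can be turned into a quick offline check of `klist -k -K` output. The script below is an added example, not code from anyone in this thread. It assumes the MIT `klist -k -K` line shape `<kvno> <principal> (<enctype>)  (0x<key>)`, takes the realm JOMA.DE from the DC=joma,DC=de DN in the posting, and uses invented key values; one entry is deliberately stale (kvno 3, different key) to show what a keytab left behind after a password change looks like.

```python
"""Consistency checks over `klist -k -K` output for a keytab built from one AD account.

Every entry derived from a single computer account's password must share one kvno,
and all entries of one enctype must carry the same key. A stale entry left behind
after a password change shows up as the odd one out.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class KeytabEntry(NamedTuple):
    kvno: int
    principal: str
    enctype: str
    key: str  # hex digits as printed after -K, without the 0x prefix


# One entry per line: "<kvno> <principal> (<enctype>)  (0x<key>)"  (assumed MIT format).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+?)\)\s+\(0x([0-9a-fA-F]+)\)\s*$")

# Constructed sample. Host names follow the posting, realm JOMA.DE is assumed from the
# DC=joma,DC=de DN, key values are invented. The last HTTP entry is deliberately stale.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/jp-sys8.joma.de@JOMA.DE (DES cbc mode with CRC-32)  (0x1122334455667788)
   2 host/jp-sys8.joma.de@JOMA.DE (ArcFour with HMAC/md5)  (0xaabbccddeeff00112233445566778899)
   2 HOST/JP-SYS8@JOMA.DE (DES cbc mode with CRC-32)  (0x1122334455667788)
   2 HOST/JP-SYS8@JOMA.DE (ArcFour with HMAC/md5)  (0xaabbccddeeff00112233445566778899)
   2 HTTP/jp-sys8.joma.de@JOMA.DE (DES cbc mode with CRC-32)  (0x1122334455667788)
   3 HTTP/jp-sys8.joma.de@JOMA.DE (ArcFour with HMAC/md5)  (0x99887766554433221100ffeeddccbbaa)
"""


def parse_klist(text: str) -> List[KeytabEntry]:
    """Return the keytab entries in klist -k -K output; header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4).lower()))
    return entries


def check_keytab(entries: List[KeytabEntry]) -> List[str]:
    """Apply the checks from the thread and return one finding string per problem."""
    findings: List[str] = []

    # 1. One account, one password: every entry should carry the same kvno.
    kvnos = sorted({e.kvno for e in entries})
    if len(kvnos) > 1:
        findings.append(f"kvno differs across entries ({kvnos}); some entries predate a password change")

    # 2. Same password and same enctype must give the same key, whatever the principal name.
    keys_by_enctype: Dict[str, Dict[str, List[str]]] = defaultdict(dict)
    for e in entries:
        keys_by_enctype[e.enctype].setdefault(e.key, []).append(e.principal)
    for enctype, keys in sorted(keys_by_enctype.items()):
        if len(keys) > 1:
            groups = "; ".join(f"0x{k[:8]}...: {', '.join(p)}" for k, p in keys.items())
            findings.append(f"{enctype}: {len(keys)} different keys ({groups})")

    # 3. Kerberos compares principal names byte for byte, AD does not; the thread's
    #    convention is lower-case "host" and upper-case "HTTP".
    for principal in sorted({e.principal for e in entries}):
        service = principal.split("/", 1)[0] if "/" in principal else ""
        if service.lower() == "host" and service != "host":
            findings.append(f"{principal}: service should be lower-case 'host'")
        elif service.lower() == "http" and service != "HTTP":
            findings.append(f"{principal}: service should be upper-case 'HTTP'")

    return findings


if __name__ == "__main__":
    # In practice: run `klist -k -K /etc/krb5.keytab` as root and feed its output here.
    for finding in check_keytab(parse_klist(SAMPLE_KLIST)) or ["keytab is consistent"]:
        print(finding)
```

On the sample the script reports the kvno split, the two different ArcFour keys (naming which principals carry which), and the upper-case HOST/JP-SYS8 entry; a keytab freshly created from one account with `net ads keytab create` should come back clean.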